Skip to content

Additional Threat Object Types

Increasing the number of threat object types you track in Risk Rules can be really helpful for tuning noisy alerts, threat hunting on anomalous combinations, and automating SOAR enrichment to unique threat object types. Haylee and Stuart's Threat Object Fun dashboards can be helpful for all three.

Threat Object Types

Some potential threat_object_types to keep in mind when creating risk rules:

source threat_object_type
email, endpoint, network, proxy ip
email, endpoint, proxy src_user
email, endpoint, proxy user
endpoint, email file_hash
endpoint, email file_name
endpoint, proxy domain
endpoint, proxy url
email email_subject
email email_body
endpoint command
endpoint parent_process
endpoint parent_process_name
endpoint process
endpoint process_file_name
endpoint process_hash
endpoint process_name
endpoint registry_path
endpoint registry_value_name
endpoint registry_value_text
endpoint service
endpoint service_dll_file_hash
endpoint service_file_hash
proxy certificate_common_name
proxy certificate_organization
proxy certificate_serial
proxy certificate_unit
proxy http_referrer
proxy http_user_agent

Other Types

You could also use open-source server handshake hashing algorithms like JA3, JA4, JARM, or CYU to identify anomalous server handshakes and potentially include:

  • ja3_hash
  • ja3s_hash
  • ja4_hash
  • jarm_hash
  • cyu_hash
  • asn

Last update: December 6, 2023
Created: December 1, 2023